Groo - shadows of echoes of memories of songs — LiveJournal
j4
Groo
I am stupid. Apparently I stepped into a security hole. Thanks to burkesworks for pointing it out.

Mind you, the clicky-meme wasn't in Russian when I saw it, so I don't quite understand why all the clever geeks are making bitchy comments about morons who click things they can't even read... it looked like just another crappy What Kind of Pavlovian Reaction to Web Buttons Are You quiz, and I was bored.

Yeah, you can all post followups where you point and laugh at me now. :-(

Current Mood: kicking myself, hard

Comments
From: ewx Date: June 12th, 2004 04:19 pm (UTC)

The claim that the Russian/sausage one gathers passwords isn't borne out by reading the source, at least to the one you had; it just submits an ordinary LJ update form and relies on your browser supplying the LJ cookie to LJ when it's submitted. The bulk of the code is merely time and date handling.

(That the browser passes the cookie when the submission wasn't requested by the user but by a bit of Javascript from some different site is arguably a violation of at least the spirit of Javascript's security model, but I'm no expert on Javascript, so don't take my word on this particular point. That said I do at least know the difference between Javascript and Java, apparently unlike a few of the people I've seen claiming to know what they were talking about on this particular subject.)

The only thing that looks even slightly like a variant that's purported to collect passwords does so by ... having a box for you to type your password into. (A joke, in other words.)

From: oldbloke Date: June 13th, 2004 02:12 am (UTC)
Maybe it's not so much Javascript's fault: isn't it sort-of a parallel to the shatter attack where any open window can assume the privilege level of any other open window, thanks to the way Bill's boys built their execrable OS?
Mind you Janet doesn't use BillOS so...
I have some chores to do.
From: bjh21 Date: June 13th, 2004 03:07 am (UTC)
I'm not pointing and laughing. I'm gibbering softly about the fact that this problem (which doesn't really need JavaScript, incidentally -- that just makes it easier) affects pretty much any authenticated Web application, unless the author has thought of it, which I certainly hadn't.
From: sesquipedality Date: June 13th, 2004 04:11 am (UTC)
Had to clean a worm off my PC a couple of days back. Since my firewall would prevent this spreading I can only assume I got infected by running an infected binary.

I also deleted my home directory by mistake once.

Don't know if I count as one of the techo-l33t, but anyone can make a mistake. I would've probably done the same.

Some inadequate geeks like to feel superior. What's so smart about having seen a warning before having seen the trap?
From: oldbloke Date: June 13th, 2004 06:23 am (UTC)
Ah, yes, I once copied some files to c:\ by mistake, and in a moment of madness tried to tidy them up by doing del c: and actually saying Y to the question... Of course all the subdirs etc would be OK, but in the version of Windows I did it on there was some fairly vital stuff in the root. Seem to recall being saved by Norton Unerase.
From: taimatsu Date: June 13th, 2004 03:36 pm (UTC)
I'd have done it if it hadn't been that I'm checking so rarely at the moment that by the time I saw those memes they were surrounded on the page by the discussion of the problems with them. I'd have clicked without a thought otherwise. It's not unreasonable to assume something posted by a friend is not malicious, so I don't think there's anything for people to point and laugh about.